Nomad - Consul Networking

Hey there,
I am trying to set up a Nomad+Consul cluster on bare metal machines with only public IPs (no shared private net). I wanna have a master node with Nomad and Consul in server mode and a client node with Nomad and Consul in client mode.
The server config + the job declaration can be found here: Consul Networking

I don't understand the networking part fully.
When I use

env {
        REDIS_HOST = "${NOMAD_UPSTREAM_IP_redis}"
}

is it then Nomad or Consul that resolves the IP? What is best practice there?

And the biggest issue currently is, how does the ingress health check work? The ingress gateway itself (see also Consul Networking - #2 by ownyrd) works as expected, but it cannot access the Flask endpoint to do the health check.

Can somebody help please?
Even a reference GitHub repo with best practice configs would be helpful.